The National Security Agency (NSA) and its British counterpart have successfully defeated encryption technologies used by a broad swath of online services, including those provided by Google, Facebook, Microsoft, and Yahoo, according to new reports published by The New York Times, Pro Publica, and The Guardian. The revelations, which include backdoors built into some technologies, raise troubling questions about the security that hundreds of millions of people rely on to keep their most intimate and business-sensitive secrets private in an increasingly networked world.

The reports, published simultaneously by the NYT, Pro Publica, and The Guardian, are based on newly disclosed documents provided by former NSA contractor Edward Snowden. They reveal a highly classified program codenamed Bullrun, which according to the reports relied on a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion" to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," the NYT reported, quoting a 2010 memo describing a briefing of NSA capabilities to employees of the Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

When British analysts were briefed on the success, according to another memo, "those not already briefed were gobsmacked!" the NYT added.

The newly aired documents underscore the difficult balancing act that intelligence agencies must perform when monitoring terrorists and other state enemies. While officials say the ability to decode communications intercepted from suspects is crucial to national security, critics warn that the undermining of widely used encryption technologies could have an unintended boomerang effect that harms US companies and citizens.

"The risk is that when you build a backdoor into systems, you're not the only one to exploit it," Matt Green, a Johns Hopkins professor specializing in cryptography, told the NYT. "Those backdoors could work against US communications, too."

Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told The Guardian, "Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet."

Neither report made clear exactly how the intelligence agencies are bypassing VPNs, SSL, and TLS, which are all presumed to provide nearly impenetrable cryptographic assurance when used correctly. But the NYT specifically mentions all three—as well as an unspecified protection used in 4G smartphones—as being the focus of the NSA's most intensive efforts.

Similarly, for three years, the GCHQ looked into ways to decode encrypted traffic from Google, Facebook, Microsoft, and Yahoo. By 2012, the British agency developed "new access opportunities" into Google systems, the paper reported. By 2010, a GCHQ counterencryption program, dubbed Edgehill, aspired or was able—the NYT and The Guardian seem to disagree on this point—to decode VPN traffic for 30 targets and set a goal of an additional 300 by 2015.

The reports also discuss the intelligence agencies working to get Internet companies' help in decrypted traffic by eliciting their voluntary cooperation, forcing their cooperation through court orders, or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware. Documents provided by Snowden said the NSA spends $250 million per year on a Sigint Enabling Project that "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them exploitable. Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert backdoors or by surreptitiously exploiting existing security flaws, the NYT said.

The paper went on to describe the covert hand NSA agents played in "deliberately weakening the international encryption standards adopted by developers." It cited a goal in a 2013 budget request to "influence policies, standards, and specifications for commercial public key technologies. The report—written by Nicole Perlroth, Jeff Larson, and Scott Shane—said, "Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members."

Promoted Comments

... So nice to know that securing our entire economic infrastructure is less important than being able to read my email.

These standards are the bedrock that every single financial transaction on the internet relies on.

If you have any kind of remote access into your work place, say at a bank or a loan company, a game company, or a power plant, these security standards are what make it possible for you to do this securely, without someone else watching and coming in behind you.

Without them being truly secure, we have no ecommerce, we have no remote working, we have no Amazon or Ebay, and the economy of not just the US, but most of the modern world, will crumble.

Yes, that risk is surely worth the benefit of the NSA being able to read our email, right?

What I'm reading here is that the NSA has not gained the capability to attack encryption protocols directly; rather, they've found ways to gain access to the data before or after it is encrypted, or they have gained access to the encryption keys themselves. Further, the methods they use to gain such access are extremely fragile, mainly because they rely on subterfuge and lack of vigilance from their targets.

This is enormously important, because it means those who value their privacy still have the tools to fight back, and even a slight increase in vigilance will be enough to shut the NSA out.

The reports also discuss the intelligence agencies working to get Internet companies' help in decrypted traffic by eliciting their voluntary cooperation, forcing their cooperation through court orders, or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware. Documents provided by Snowden said the NSA spends $250 million per year on a Sigint Enabling Project that "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them exploitable. Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, the NYT said.

I'm tentatively thinking that operational decryption of TLS/SSL is about subverting certificate authorities, not about code-breaking. In the Diginotar case, an arbitrary CA issued certs for Google. That was detectable by any user exposed to the public cert and chain, and is widely mitigated by public-key pinning. Decryption and MITM attacks become undetectable and public-key pinning useless if the attacker has copies of the private key, however, which could be supplied by the CA wittingly or unwittingly.

Actually, this is sadly incorrect.

You provide the CA with a Certificate Signature Request, which provides your public key and any other information that they need to sign the public key, the CA never gets your private key.

This compromise seems to require one of the following, getting the private keys from each service they wish to monitor, breaking RSA or AES, breaking SSL separately from RSA or AES, or subverting the standards in question from the start.

I am honestly not sure which in the most frightening, but their budget lines show that they are actively trying the latter.

If you have the root keys you can build the cert chain to man-in-the-middle. You'd impersonate the site to the user and user to the site. You never need the private keys of the site.

But you'd need hardware sitting on the backbone to do the attack fast enough...

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

I'm actually ok with the idea that the NSA has worked actively to find ways to decrypt traffic on the internet. It's perfectly appropriate for their mission. They need to do that. And the better their understanding of how encryption can be broken, the better their understanding of how we can be protected from foreign interests trying to do the same thing.

What's not ok here is when they actively work to undermine our security. Weakening security protocols, installing backdoors. That is damage that can be exploited by them for their mission, but can also be exploited by anyone else. I didn't find it acceptable to spy on me in order to also spy on bad guys, I certainly don't find it acceptable to take active steps to make me vulnerable to bad guys just to make their job easier.

Quite the opposite, I expect the NSA should be identifying weaknesses in security protocol and patching them up. Ensuring our digital security is an important mission assigned to the NSA which they have not just neglected but have actively betrayed.

Thank you for the thoughtful reply. Given the level of expertise shown by many government agencies, I too worry about any of them taking responsibility for such broad security policies. And the thought that they're deliberately adding "features" which enable a targeted breach makes me shudder. But here is where we get to the crux of it - there's a difference between criticizing what they do and the doubts raised about how well they do it.

We agree that the NSA's charter is pretty much all over this process of data collection and decryption. What makes us nervous is the quality of the methods. Have they introduced more instability than they have removed? What is the innate level of integrity in this process? How thorough is the review of the final state? Until we understand some of these things, we can't really say much about the sentence that reads "deliberately weakening the international encryption standards adopted by developers." All we can do is take it as written.

Personally, I don't think the NSA is spying on us as it busies itself spying on the bad guys. First off, what would they get out of it? They want to know what pr0n sites I prefer? No problem. Knock yourself out. Second, I would think the CPU cycles are too valuable. They undoubtedly use some sophisticated pattern recognition as a first screen, and I doubt many of us fit those patterns, so why waste watts chasing pointless leads? Finally, any intel that leads to something actionable gets reviewed by humans, and that's where it gets really expensive.

Then there's the Fourth Amendment arguments, which the Supreme Court has already heard and ruled on, and which they'll rule on again probably before too long. I don't feel my papers or effects have been unreasonably searched or seized, but then I grew up in a world where if I wanted to send a note to someone I had to write it out by hand and put it in a mailbox. I doubt the NSA gets too involved with that.

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

Why these things are different is because we expect thieves to try and rob us. We don't expect to find ourselves under attack from the very government we elect and finance with our tax dollars. And on a related note, the Romainian script kiddies don't have a $250 million annual budget to put into developing better ways to get into our shorts, like our government apparently does.

And by the way, no one ever thought properly used encryption was the equivalent of a crayon sign, because we believed the people we are supposed to be able to trust, and they lied to us.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

When the US government tramples my civil liberties and constitutional rights, that harms me. Whether I suffer any "actual" harm that would get me damages in a civil suit is irrelevant. Racial discrimination and voter suppression harm me even though I'm a white guy from a blue state. Government thugs don't have to break down my door and haul me away for me to be harmed by this destruction of my rights as an American.

What some people need to realize is that you do not own the internet. An analogy (although not a perfect one) would be driving on the highways. It is a privilege not a right and much like when you buy a car to access the roads and highways, you do not own them. When you buy your computer (smartphone, tablet or whatever) and pay your provider, it simply allows you to access the internet, it also does not mean you own it. The police have the right to observe anyone who chooses to utilize the public highway system (including inside your vehicle if your suspected of committing a crime). The same goes for web traffic if you choose to use the internets (including email, Facebook, Google searches, etc). Why do YOU feel entitled to privacy while using services that you don't own? By the way, the NSA is a necessary evil (if you will) because they also monitor terrorist networks and fascist governments (among others) which is their primary objective although i understand they also monitor for domestic issues. Would you rather they didn't exists and just take your chances with terrorist both foreign and domestic?

Feel free to set me straight if you disagree.

Monitoring is ok,But manipulating standards comities to support flawed security measures and forcing developers to implement back doors in their products is much more than just "monitoring the highway".

Take it from someone who has grown up in communist country, this is very dangerous.30 years ago government was not able to listen to all of the people all of the time, and that provided a way for people to get free. If government had something like this back then, I believe I would still be living in communist country.

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

Hey this is America! We sue over coffee that's too hot.

Seriously, though. It's only a matter of time. Now that the NSA has proven (not just speculated) that encryption can be broken, it will be done by others. While we may not be able to get damages from the NSA, we will have "trusted" transactions hijacked in time. And let's not discount LOVEINT, spying on lovers that was rampant enough to warrant it's own inter-office term. From what's being discovered there's a clear mindset of "once you're in the club, we trust you 110%." Anyone who does any work in a modern IT setting knows that you don't let anyone have access to the whole kitten-caboodle, no matter how much you trust them. All it takes is a few jilted lovers to get a class-action lawsuit going and it won't take much to prove negligence in data management. But they'll just get a big payoff (from the taxpayers) and maybe someone will get a letter in their personnel file.

What some people need to realize is that you do not own the internet. An analogy (although not a perfect one) would be driving on the highways. It is a privilege not a right and much like when you buy a car to access the roads and highways, you do not own them. When you buy your computer (smartphone, tablet or whatever) and pay your provider, it simply allows you to access the internet, it also does not mean you own it. The police have the right to observe anyone who chooses to utilize the public highway system (including inside your vehicle if your suspected of committing a crime). The same goes for web traffic if you choose to use the internets (including email, Facebook, Google searches, etc). Why do YOU feel entitled to privacy while using services that you don't own? By the way, the NSA is a necessary evil (if you will) because they also monitor terrorist networks and fascist governments (among others) which is their primary objective although i understand they also monitor for domestic issues. Would you rather they didn't exists and just take your chances with terrorist both foreign and domestic?

Feel free to set me straight if you disagree.

I'm not from the US, but I understood that private communications didn't require ownership of the channel.

If I send a letter to you, isn't tampering with the mail a crime?

If I call you, isn't bugging the call a crime?

If I email you an encrypted file, is it now okay for the file to be decrypted and the original disseminated by a third party?

If I connect to my bank using an encrypted connection, is it now okay for that encryption to be broken and the details of my transactions recorded by a third party?

Should I have no expectation of privacy in any channel?

Lastly, speaking as a foreigner, I completely disagree that the NSA has done the US any good at all. They don't seem to have a great record on stopping attacks, but they're doing amazing damage to US commercial interests by telling the world "You cannot trust the US." I believe the NSA is a net loss for the US, and you'd be better off "taking your chances" with terrorists just as you did throughout your history prior to the last decade or so. You were doing pretty well.

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

Why these things are different is because we expect thieves to try and rob us. We don't expect to find ourselves under attack from the very government we elect and finance with our tax dollars. And on a related note, the Romainian script kiddies don't have a $250 million annual budget to put into developing better ways to get into our shorts, like our government apparently does.

And by the way, no one ever thought properly used encryption was the equivalent of a crayon sign, because we believed the people we are supposed to be able to trust, and they lied to us.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

When the US government tramples my civil liberties and constitutional rights, that harms me. Whether I suffer any "actual" harm that would get me damages in a civil suit is irrelevant. Racial discrimination and voter suppression harm me even though I'm a white guy from a blue state. Government thugs don't have to break down my door and haul me away for me to be harmed by this destruction of my rights as an American.

And if you feel the US Government has violated your rights, you have redress through the Federal courts. Unfortunately, the Supreme Court has already ruled on this issue and the wire snoopers won - the Fourth Amendment had not been violated.

So yes, to bring a case you would want to do it based on actual harm, not on the Fourth Amendment.

It would be more interesting however if they put a backdoor not in the AES-NI functions but in TXT, Secure Boot, AMT, vPro,.... that would be a big problem....full unrestrcted low level access, under the OS.... but if someone leak this backdoor, Intel and almost everybody in the word would be in big trouble...

I am using a Lemote Yeelong, a netbook with a Loongson chip and a 9-inch display. This is my only computer, and I use it all the time. I chose it because I can run it with 100% free software even at the BIOS level.

I am relieved to see nothing obviously extraordinary about how they achieved the technical aspects of this, mostly via legal strong-arming, secret cooperation, and old fashioned subterfuge (e.g. backdoors in hardware and software).

If they do indeed have something more fundamental as far as breaking basic cryptographic hardness assumptions, I'd prefer it stay buried as that is truly chaos unleashed. So much depends on RSA and DL in particular.

I think that going forward, those interested in secure protocols and systems mostly need to take a very hard look at the entire picture. Commercial services including hardware manufacturing, CAs, operating systems, etc are all not to be trusted. This appears to be a war of attrition that they are remarkably successful with. It only takes one opening and they have countless vectors.

As a cryptographer, I think our community is really quite incapable of dealing with adversaries on this scale with such an incredible breadth of options for attacks, most of which totally sidestep our models. Where we hopefully can do better is with likely attack vectors on the crypto itself, e.g. PRNGs (a known weakness here could be DEVASTATING) and protocols resistant to leakage, but engineers have to figure out how to adopt them, make them practical and scalable, all without screwing up their theoretical security levels.

Finally, I know that many people are lionizing Snowden for these leaks, but be prepared for some really serious acceleration of the inevitable consequences leaking these insanely reckless techniques by NSA. Many governments worldwide will follow their lead with similar techniques, if they haven't already. Also, the leaks have painted a seriously juicy target on their back for hackers and espionage agencies worldwide, and let's not forget the NSA was incapable of defending itself against an insider attack by a sysadmin! They have truly played with fire and the result could be a sudden (or long-term) destabilization of the internet which in turn leads to catastrophic consequences for the global economy and society in general....

ARPAnet, developed by ARPA, later called DARPA, a part of the US Department of Defense, was the initial form of the modern day internet.

Read that and tell me with a straight face that its benefactors didn't have exactly this sort of thing in mind for its future. Okay, maybe not initially, but after proof-of-concept maybe.

The initial stated intent was to provide a decentralized means of communications in case major public communications were disrupted by war.

No, the initial intent was for ARPA-funded researchers to be able to share computers, because there had been a fiscally-troubling trend of researchers demanding many machines for their institutions. Baran and Davies had been theorizing that packet switched networks would be resistant to node failures, and able to redirect existing connections through new paths transparently because the intermediaries (now known as routers) weren't responsible for keeping session state. ARPA decided to build their required research network with new and unproven technology, but the network's purpose was essentially cost-savings and resource-sharing.

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

Why these things are different is because we expect thieves to try and rob us. We don't expect to find ourselves under attack from the very government we elect and finance with our tax dollars. And on a related note, the Romainian script kiddies don't have a $250 million annual budget to put into developing better ways to get into our shorts, like our government apparently does.

And by the way, no one ever thought properly used encryption was the equivalent of a crayon sign, because we believed the people we are supposed to be able to trust, and they lied to us.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

How would you know? Even with all these leaks, what we've learned is that:

* When the NSA releases information to the DEA or other agencies, they use "parallel construction" to invent what is essentially a cover story for how they got the information. http://www.reuters.com/article/2013/08/ ... 9R20130805 So even if this information was used against you in court, the testimony against you would never mention the source, and would instead claim to discovered the information by completely different means and for different reasons.

To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”

So unless information was leaked about how this data was used in specific cases -- and we have seen nothing like that so far -- there is no way someone could come forward as you suggest and conclusively show these programs have harmed them. The cover-up is simply too thorough.

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

Why these things are different is because we expect thieves to try and rob us. We don't expect to find ourselves under attack from the very government we elect and finance with our tax dollars. And on a related note, the Romainian script kiddies don't have a $250 million annual budget to put into developing better ways to get into our shorts, like our government apparently does.

And by the way, no one ever thought properly used encryption was the equivalent of a crayon sign, because we believed the people we are supposed to be able to trust, and they lied to us.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

When the US government tramples my civil liberties and constitutional rights, that harms me. Whether I suffer any "actual" harm that would get me damages in a civil suit is irrelevant. Racial discrimination and voter suppression harm me even though I'm a white guy from a blue state. Government thugs don't have to break down my door and haul me away for me to be harmed by this destruction of my rights as an American.

And if you feel the US Government has violated your rights, you have redress through the Federal courts. Unfortunately, the Supreme Court has already ruled on this issue and the wire snoopers won - the Fourth Amendment had not been violated.

So yes, to bring a case you would want to do it based on actual harm, not on the Fourth Amendment.

If you restrict yourself to reading the "letters" of the "law", and blindly trust the authority, without any regard for societal context and a changing reality, you might just possibly miss that the hole &%"#)D library is on fire...

"Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members."

I always wondered if SELinux, developed by the NSA, and was so easily accepted by the Linux community had a backdoor in it, I guess now I know.

I really don't care so much about my desktop but there are millions of Internet servers out there running a variation of SELinux under some branded Linux distribution.

Considering that it took just a few months of time before crackers took advantage of StuxNet "technology" to beef-up their malware, how long do we have till SELinux backdoors get ripped open by criminals?

Well, I think we've known for years that SSL is useless against the NSA, DEA or any other three letter government opponent. Any certificate based asymmetric encryption algorithm is obviously compromised because the government simply has to ask VeriSign for the private key. Not to mention all of the well-known man-in-the-middle attacks that can be performed. Same goes for any US, UK, or EU-based cloud service--by law, they have to have back doors for spooks, spies and drug warriors.

or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware.

Now this, at least, seems clearly against the law.

Why do some posters here keep claiming that the NSA works within the law?

Thats not whats been said, whats been said is that the SC has decided that its not against the Constitution per se, or at least it wasnt in past cases. What you are talking about has, afaik, never been tested in court with regards to the NSA.

"Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members."

I always wondered if SELinux, developed by the NSA, and was so easily accepted by the Linux community had a backdoor in it, I guess now I know.

I really don't care so much about my desktop but there are millions of Internet servers out there running a variation of SELinux under some branded Linux distribution.

Considering that it took just a few months of time before crackers took advantage of StuxNet "technology" to beef-up their malware, how long do we have till SELinux backdoors get ripped open by criminals?

The current versions of SELinux are open source. Its unlikely that a flaw exists in the software. If one existed it would most likely have been found by now.

Imagine for one second if someone other than NSA finds these backdoors, someone with a financial or political motive (like, I don't know, terrorist?). The entire financial, defence, communication structures of the WHOLE world could crumble and manipulated in ways that are beyond destructive. This isn't unheard of? How many times have we heard about an attacker who found a backdoor or a "default password" in an industrial equipment?

Well, I think we've known for years that SSL is useless against the NSA, DEA or any other three letter government opponent. Any certificate based asymmetric encryption algorithm is obviously compromised because the government simply has to ask VeriSign for the private key. Not to mention all of the well-known man-in-the-middle attacks that can be performed. Same goes for any US, UK, or EU-based cloud service--by law, they have to have back doors for spooks, spies and drug warriors.

From this USA perspective, it's always been understood that the FBI et al. domestic law enforcement would have an ability to subpoena what they needed, but this was always a very specific search and had an expectation of due process. Where is the due process here? If the NSA is prying into our explicitly private (encrypted) communications to peek for whatever they peek for, they have, once again, gone too far on domestic Internet activity. Anyway, the foreign agents that I'd think you really want to watch out for are smart enough to not be using PKI to undermine national security from within, to whatever extent such activity occurs.

The initial stated intent was to provide a decentralized means of communications in case major public communications were disrupted by war. However opening it up to everyone does provide a slick way of introducing big brother. Not saying I agree with your reasoning, but we both got to the same place in the end.

I read decentralized. For all the people feeling it's ok to spy on non-US citizens, remember putting geographic boundaries on internet is completely artificial - IP packets don't care about nationality.

Practically every physical lock can be lock picked. I don't understand what the big deal is. That is the NSA's job to try to figure out how to crack encryption of all kinds. I don't think these companies should be putting in backdoors, but that's a whole other conversation about the companies doing this not the NSA.

Is the government coercing the lock companies into making less secure locks? Can a motivated lockpicker wreak the same damage as the governments and individuals who are capable of exploiting weakened security that has been sold as something it's not?

The big deal isn't that the NSA is cracking encryption. The big deal is that the NSA is fundamentally weakening the security infrastructure of the internet, and that's only the scope of this particular story and not the broader issues of what seems like non-existent or minimal oversight and indifferent violation of the civil and legal rights of people worldwide.

The big deal isn't that the NSA is cracking encryption. The big deal is that the NSA is fundamentally weakening the security infrastructure of the internet, and that's only the scope of this particular story and not the broader issues of what seems like non-existent or minimal oversight and indifferent violation of the civil and legal rights of people worldwide.

You're never going to get them to agree that the NSA is doing anything wrong. If the NSA, as was written in the ProPublica editorial, devised a way to read minds, you'd have the same people here arguing that it was perfectly fine and legal.

Got to watch out for those terrorists, and that mind control device would reveal every single one. /s

The big deal isn't that the NSA is cracking encryption. The big deal is that the NSA is fundamentally weakening the security infrastructure of the internet, and that's only the scope of this particular story and not the broader issues of what seems like non-existent or minimal oversight and indifferent violation of the civil and legal rights of people worldwide.

You're never going to get them to agree that the NSA is doing anything wrong. If the NSA, as was written in the ProPublica editorial, devised a way to read minds, you'd have the same people here arguing that it was perfectly fine and legal.

Perhaps not, but hopefully it helps convince anyone who might be on the fence or is easily swayed by un-rebutted arguments, however poor they may be.

Practically every physical lock can be lock picked. I don't understand what the big deal is. That is the NSA's job to try to figure out how to crack encryption of all kinds. I don't think these companies should be putting in backdoors, but that's a whole other conversation about the companies doing this not the NSA.

Is the government coercing the lock companies into making less secure locks? Can a motivated lockpicker wreak the same damage as the governments and individuals who are capable of exploiting the weakened security?

The big deal isn't that the NSA is cracking encryption. The big deal is that the NSA is fundamentally weakening the security infrastructure of the internet, and that's only the scope of this particular story and not the broader issues of what seems like non-existent or minimal oversight and indifferent violation of the civil and legal rights of people worldwide.

I'm sorry, I'm unwilling to jump to that conclusion. They just claim they're weakening the infrastructure of the internet, but by how. The article, and I read this article this morning on the NY Times, vaguely states what the NSA is doing and as an IT person based on this new information I have no idea what I can change to make my networks more secure. They vaguely talk about SSL and VPNs and getting into them, but don't describe how. I've always assumed that encryption was not bullet proof. The idea is to make it sufficiently difficult to get in, not to pretend that its impenetrable.

I'm not for certain how much more transparent oversight we can give to such a clandestine organization. Personally I think code breaking is a valuable national asset. I'm will to accept that a lot of how it operates is going to be on a need to know basis. We have to have rules that are honored that prevent the organization from nefariously using their capabilities against US citizens, but again I stand by my analogy.

This is no different than the physical world. You don't worry that a SWAT team is going to show up to your house and smash in the door to see what you're doing even though SWAT teams clearly have this capability. There's rules in place and legal avenues to explore if they do something like that. We just need to make sure that individuals have recourse.

I'm all for opening those channels. I think Google and Microsoft should have every right to tell the public or consumers what the Government has asked for. I don't believe that the Lavabit founder should be legally silenced. Those are the rules and laws that need to be addressed not the NSA's capabilities.

And here we come to the end of the line since that's really what it is. We now have 100% empirical evidence that the governments of the free world view personal privacy like a piece of toilet paper; to be used and discarded at their whim. Doubt this? Here's the one quote that, literally, left me feeling cold all over:

"Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

I'll raise you the one from the head of the GCHQ that said, "If you have nothing to hide, you have nothing to fear."

I've seen many a suggestion on what, if anything that citizens of any elected representative government can do to stop this insanity, but none so far have suggested what my limited (albeit local) experience is in; if they ignore you and/or stay on their eat-this course of action, run against them or get somebody else to.

At the local level, it'd be hard to count how many times citizens in my village have heard local officials dismiss them in short, terse, nonchalant ways. From the tax collector to the high sheriff, it was once a big problem for us. There was no service in "public service" until the thought occurred to a frustrated voter one day that, if you can't win, run against 'em and they did. The man didn't win, but the very public (and televised) airing of his beefs with the official he was running against brought about more change than his previous many years of writing letters to the newspaper and complaining at town council meetings. When I tried to speak with the tax collector about some problems with his office, I was told that wasn't going to happen and he refused to speak with me. He'll have to speak this coming January when I run against him for the office.

I say what a concerned public should do is find and vote for technically astute individuals with the primary agenda to rein in the "No Supervision Agency". It can be done. Start at the lowest political level in your government that affects national policies on privacy. Our regional national representative has been making the rounds on his pre re-election tour for the race next year. So far, no one has mentioned anything about spying on the citizenry or privacy issues. One alternative candidate could do that and make some good points doing it. All that's needed is at least one willing citizen in each district. Thhinnk about it.

If you really want to keep your communications private then you need to have secret and private encryption schemes so that even if your email is decrypted it's meaningless to an observer who isn't in on the secret. Keeping such schemes secret is difficult when you're dealing with large organizations, but relatively easy for a small group devoted to a cause. Wouldn't you know it, the very people the NSA is looking for, the people they're supposedly protecting us from are in the best position to keep their communications secret.

Rather than spy on everyone hoping to find a few zealots driven by hatred of America, maybe the best course of action for the USA is to stop trying to be the world's police force, stop trying to influence foreign elections, basically stop trying to tell every other society on the planet how to live and what to believe in. Americans, of all people, should understand the taking up of arms against another country trying to tell them what to do.

Is the government coercing the lock companies into making less secure locks? Can a motivated lockpicker wreak the same damage as the governments and individuals who are capable of exploiting weakened security that has been sold as something it's not?

Government (OSHA in this case) is already coercing building owners' rights to lock their doors for a long time.

You can also google for widely adopted IRC R310.1 "Emergency Escape and Rescue Openings for Residential and Institutional Occupancies." You municipality most likely is already coercing the builders to put in numerous large and accessible opening rather than allow more secure buildings with solid wall and single entrance/exit.

Similarly, a lot burglary can be prevented if home owners are allowed to weld solid steel bars to the windows, but that's not allowed in my locality.

Not saying that NSA is at same point of trade-off/balancing point, but there are already plenty of analogs in realm of physical securities.

Practically every physical lock can be lock picked. I don't understand what the big deal is. That is the NSA's job to try to figure out how to crack encryption of all kinds. I don't think these companies should be putting in backdoors, but that's a whole other conversation about the companies doing this not the NSA.

Is the government coercing the lock companies into making less secure locks? Can a motivated lockpicker wreak the same damage as the governments and individuals who are capable of exploiting the weakened security?

The big deal isn't that the NSA is cracking encryption. The big deal is that the NSA is fundamentally weakening the security infrastructure of the internet, and that's only the scope of this particular story and not the broader issues of what seems like non-existent or minimal oversight and indifferent violation of the civil and legal rights of people worldwide.

I'm sorry, I'm unwilling to jump to that conclusion. They just claim they're weakening the infrastructure of the internet, but by how. The article, and I read this article this morning on the NY Times, vaguely states what the NSA is doing and as an IT person based on this new information I have no idea what I can change to make my networks more secure. They vaguely talk about SSL and VPNs and getting into them, but don't describe how. I've always assumed that encryption was not bullet proof. The idea is to make it sufficiently difficult to get in, not to pretend that its impenetrable.

I'm not for certain how much more transparent oversight we can give to such a clandestine organization. Personally I think code breaking is a valuable national asset. I'm will to accept that a lot of how it operates is going to be on a need to know basis. We have to have rules that are honored that prevent the organization from nefariously using their capabilities against US citizens, but again I stand by my analogy.

This is no different than the physical world. You don't worry that a SWAT team is going to show up to your house and smash in the door to see what you're doing even though SWAT teams clearly have this capability. There's rules in place and legal avenues to explore if they do something like that. We just need to make sure that individuals have recourse.

I'm all for opening those channels. I think Google and Microsoft should have every right to tell the public or consumers what the Government has asked for. I don't believe that the Lavabit founder should be legally silenced. Those are the rules and laws that need to be addressed not the NSA's capabilities.

Well, I disagree, I don't consider these statements "vague" (from the NYT):

Quote:

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, according to the documents.

At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.

Quote:

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Ok, having stated my disagreement... The fact that you do agree Google and Microsoft should be permitted to say what they have done (and been required to do) is a big step. I think it's clear that, if they actually stated what they have done, the rest of the point would be proven.

But since leaks are continuing.... tell me, hypothetically, what would the NSA have to do for you to consider them to have crossed the line? Is there anything? Mass surveillance? Making you less secure? Agents passing around your emails for laughs? Investigating political opponents? Altering election results in the US? I think you should decide now, just in case we reach whatever point you pick.

No we didn't. As GCHQ state, this program is "extremely fragile". All we have to do is switch to encryption products which are not compromised. It seems like The Guardian etc. have decided to keep quiet about just which products those are, but there is no indication that open source encryption products are broken. Indeed this ability to circumvent encryption seems to substantially be about backdoors which the NSA has managed to install in commercial closed-source products. Now that we know for a fact that such products are not trustworthy (whereas before we merely strongly suspected this) we can strive to avoid them.

Don't want to sound sensational, but the implications of this will be huge. The NSA may think they are the only one with the keys to all of these vulnerabilities, backdoors, and taps, but history has shown us time and time again that agencies can be infiltrated and people can be bought out. This will be used against us.

Thankfully Snowden acted in the interest of the American people, but what about the Chinese? Iran? North Korea?